How to Identify Log Sources Required to Expose Specific Activity in Azure Sentinel

From time to time, customers ask about an MVP - or Minimum Viable Product - when discussing standing up Azure Sentinel. An MVP would be the base configuration (with all connectors, analytics rules, workbooks, etc.) for the environment. Unfortunately, this is a gray area, and it concludes with the most famous Microsoft response to ever be issued: … Continue reading How to Identify Log Sources Required to Expose Specific Activity in Azure Sentinel

Is it Time for an Analyst Assistant for Azure Sentinel?

Just a fun little blog post. Nothing serious here, just wanted to bring some joy into your life. I posted earlier about our new Incident Response Playbooks. These are awesome. And, if more of these are made available consistently, SOCs will have a great resource with which to build policies, procedures, and workflows specific to … Continue reading Is it Time for an Analyst Assistant for Azure Sentinel?

Incident Response Playbooks are the Guidance You Need

A new section has been developed and released in our Security Best Practices section of the docs platform. With hope that this will be built out further and we'll see additional guidance released, the Incident Response Playbooks section contains the following to start: Phishing, Password spray, App consent grant. Bookmark this page and watch for updates. These … Continue reading Incident Response Playbooks are the Guidance You Need

How and Why to Use the Closed Classification Properly for Azure Sentinel Incidents

There's been discussion recently over the classifications available when you close an Incident in Azure Sentinel. Specifically, those questions are around what each classification means and how applying the correct classification will make the system more intelligent. Incident Classifications. Importance of Classifications. Before digging into the definitions and recommendations for each classification, it's important to … Continue reading How and Why to Use the Closed Classification Properly for Azure Sentinel Incidents

How to Get Prepped to Take the SC-200 Exam

The SC-200 exam is for the Microsoft Security Operations Analyst and contains questions and content about Azure Defender and Azure Sentinel. It's not a tough exam, by any means - particularly if you have worked with Defender and Sentinel for any length of time. Here are the skills that are measured with their approximate percentages of … Continue reading How to Get Prepped to Take the SC-200 Exam

How to Know the Azure Sentinel Feature Differences Between Government and Commercial Clouds

This has been one of the most popular requests from Azure Sentinel customers for the last many months: How can I tell the feature differences between the government cloud and the commercial cloud for Azure Sentinel? Well, you no longer have to guess - or, as I've done, maintain separate gov't and commercial … Continue reading How to Know the Azure Sentinel Feature Differences Between Government and Commercial Clouds

Three New 1st Party Data Connectors for Azure Sentinel Hit GA

In case you missed it, there are three new Microsoft Data Connectors available for Azure Sentinel. These new connectors are mechanisms that create Diagnostic Settings for the Azure services using the Azure Policy wizard. Azure Policy Wizard. The Azure Active Directory Connector works similarly, but creates the Diagnostic Setting in a different way. The following are … Continue reading Three New 1st Party Data Connectors for Azure Sentinel Hit GA

Come Join Me in an Upcoming Webinar Talking Azure Sentinel with Difenda

I'm happy to announce I'll be joining a great partner, Difenda, on May 13th at 2pm EST to talk shop about Azure, security, and of course -- Azure Sentinel. Difenda is a Microsoft Gold partner that specializes in Azure Sentinel deployment, configuration, and optimization. I hope you can all register to join. They tell me … Continue reading Come Join Me in an Upcoming Webinar Talking Azure Sentinel with Difenda

How to Get UEBA Costs for Azure Sentinel

The cost for UEBA is nominal and based on the amount of data that is analyzed. Your costs will vary depending on several factors. However, the following KQL query can be used to get the estimated cost of the solution. union withsource=TableName1 * | where TimeGenerated > ago(30d) //In the last 30 days | summarize Entries … Continue reading How to Get UEBA Costs for Azure Sentinel

Native Azure Sentinel Data Connector to Ingest AWS CloudTrail Logs

My good friend, Sreedhar Ande, who was a guest on the recent Microsoft Security Insights podcast episode and is the author of the fabulous PowerShell script for automating the export of Azure Sentinel data to long-term storage, has come up with another fantastic offering. Sreedhar has developed and released a data connector for ingesting AWS … Continue reading Native Azure Sentinel Data Connector to Ingest AWS CloudTrail Logs